Hi, For sure it is working on MXs and suppose all M - have not enough expirience regarding srx/j.
Krasi On 2 Mar 2012 18:17, "Devin Kennedy" <devinkennedy...@hotmail.com> wrote: > Thanks for your response Krasi. Unfortunately it appears it’s not > supported on the SRX/J series in that way. It won’t commit stating that > it’s the wrong platform for using the logical-interface-policer statement > in that manner.**** > > ** ** > > ** ** > > ** ** > > *From:* Krasimir Avramski [mailto:kr...@smartcom.bg] > *Sent:* Thursday, March 01, 2012 11:16 AM > *To:* Devin Kennedy > *Cc:* juniper-nsp@puck.nether.net > *Subject:* Re: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter** > ** > > ** ** > > Hi, > It is possible to reference logical-interface-policer in > interface-specific filters for inet and inet6 families.**** > > Krasi**** > > On 1 Mar 2012 16:11, "Devin Kennedy" <devinkennedy...@hotmail.com> wrote:* > *** > > Hello: > > > > We are currently testing dual stack CoS on the Juniper platform and we're > not seeing any way to aggregate the policing applied to IPv4 and IPv6. We > want to allocate a customer a specific amount of bandwidth, say 10m > (including both IPv4 and IPv6 traffic in any proportional amount), and have > the traffic policed to 10m regardless of the amount of IPv4 or IPv6 > traffic. > > > > > I see there is an option to use a logical-interface-policer at the unit > level: > > > > firewall policer 10M-policing > > { > > logical-interface-policer; > > if-exceeding { > > bandwidth-limit 10m; > > burst-size-limit 100k; > > } > > then discard; > > } > > > > > > interfaces { > > fe-2/0/3 { > > vlan-tagging; > > unit 200 { > > vlan-id 200; > > policer { > > input 10M-policing; > > output 10M-policing; > > } > > > > However, we are policing differently for each CoS queue so we need to call > policers via MF and BA filters. The problem is that there has to be a > different filter for each family (inet and inet6), so the two are not able > to use an aggregate amount. So if we apply the same 10m policer to each > family it won't aggregate and instead applies an instance of the policer > for > each family (so a total of 20m). > > > > Does anyone know if it's possible to configure an aggregate policer across > two different firewall filters? Below is an example of what we are > currently doing: > > > > ge-0/0/1 { > > per-unit-scheduler; > > vlan-tagging; > > speed 100m; > > link-mode full-duplex; > > gigether-options { > > no-auto-negotiation; > > } > > unit 2001 { > > vlan-id 2001; > > family inet { > > filter { > > output cos_filter; > > } > > address x.x.x.x/30; > > } > > family inet6 { > > filter { > > output cos_filter-v6; > > } > > address x::x/64; > > } > > } > > } > > > > The cos_filter then calls BA and MF filters such as: > > > > [edit] > > juniper@SRX210-2-IPV6# show firewall family inet filter cos1_MF > > term 1 { > > from { > > protocol [ udp tcp ]; > > port 2081; > > } > > then { > > policer cos1_drop_8000K_out_medium; > > count COS1_MF_counter; > > forwarding-class cos1; > > accept; > > } > > } > > > > [edit] > > juniper@SRX210-2-IPV6# show firewall family inet filter cos1_ba > > term 1 { > > from { > > dscp [ 46 40 ]; > > } > > then { > > policer cos1_drop_8000K_out_medium; > > count cos1_BA_PLP_Low_counter; > > forwarding-class cos1; > > accept; > > } > > } > > > > And here is the common policer called by both the inet and inet6 filters > (MF > and BA for each family): > > > > [edit] > > juniper@SRX210-2-IPV6# show firewall policer cos1_drop_8000K_out_medium > > filter-specific; > > if-exceeding { > > bandwidth-limit 8m; > > burst-size-limit 1m; > > } > > then discard; > > > > > > We need that 8m to apply to both families together. Any pointers? > > > > > > > > Thanks, > > > > Devin > > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp**** > _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp